Description

Variables $_POST['username'] and $_POST['password'] are not properly sanitized before being used in a SQL query. This can be used to make any SQL query by injecting arbitrary SQL code and log in without password.